
@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 16
April 21, 2005

Users who moved away from Microsoft products (to Firefox and RealPlayer) in an effort to avoid security problems are facing high-risk vulnerabilities this week. Even Mac users need to install a security patch this week. Not to be outdone, users of Internet Explorer also have a critical new vulnerability to contend with. See #1, #2, #4, and #3 below. Also, because working exploit code is now circulating, Microsoft Exchange users and Oracle users should install patches on a priority basis if they haven't already. (#6 and #7 below)

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                    # of Updates & Vulnerabilities
    Windows                     1 (#3, #6, #8)
    Third Party Windows Apps    6
    Mac Os                      2 (#4)
    Linux                       4
    BSD                         1
    Unix                        5 (#5)
    Cross Platform              26 (#1, #2, #7)
    Web Application             32
    Network Device              3

************ SPONSORED BY SANS ROCKY MOUNTAIN 2005 *********************

Just two weeks until SANS comes to Denver to host nine immersion tracks plus short programs on Cutting Edge Hacker Techniques, Security Policy Development, Security Awareness Training, and more. Wonderful teachers give you material you can put to work immediately upon returning to the office and present the most current tools and techniques. Details at http://www.sans.org/rockymnt2005. What attendees say: "SANS is the ultimate security training conference. Bar none. It is the most intensive and informative program available. It's a must have for infosec professionals." (Aaron Despain, TriWest Health Care) "I have attended several of SANS rivals, and SANS blew them away!" (Alton Thomas, US Marine Corps)

************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Third Party Windows Apps
Mac Os
Linux
BSD
Unix
Cross Platform
Web Application
Network Device

************************* UPCOMING WEB CAST *****************************

Join Stephen Northcutt for an exclusive webcast "The Log Management Industry - An Untapped Market" https://www.sans.org/webcasts/show.php?webcastid=90585

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar (rohitd_at_tippingpoint.com) at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (2) HIGH: RealNetworks RealPlayer RAM File Processing Overflow
  • Affected:
    • Windows
    • RealPlayer version 10.5 builds 1040 through 1059
    • RealPlayer versions 8/10/Enterprise
    • RealOne Player v1/v2
    • Mac
    • RealPlayer 10
    • RealOne Player
    • Linux
    • RealPlayer prior to version 10.0.0.4
    • Helix Player prior to version 10.0.0.4
  • Description: RealPlayer, a very popular cross-platform media player, contains a buffer overflow in processing Real Media (".ram") files. A ".ram" file specifies the URL where media clips are stored. The buffer overflow occurs because RealPlayer does not check the length of the hostname specified in a media clip's URL. As a result, a .ram file containing an entry of the form "http://<long hostname>/example.ram" will trigger the buffer overflow. The flaw can be exploited to execute arbitrary code on the client system with the privileges of the logged-on user. Since many browsers automatically open a ".ram" file with RealPlayer, the flaw may be leveraged without any user interaction.

  • Status: RealPlayer has issued updates for all platforms. Users should be advised to upgrade their player by clicking "Tools" or "Help" menu and then choosing "Check For Updates".

  • Council Site Actions: This software is not officially supported at any of the council sites. However, a few of the sites plan to notify their users.

  • References:
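The advisory above attributes the overflow to a missing bound on the hostname in a .ram entry. The following is an added example, not RealPlayer or RealNetworks code, showing the check a defender would want in front of any component that consumes such playlists: a conservative pre-validator that treats a .ram file as one URL per line (an assumption; blank lines are skipped), restricts the scheme to an assumed allowlist, and rejects hostnames that exceed the RFC 1035/1123 limits (63 octets per label, 253 overall) or contain characters outside the DNS hostname alphabet. The sample playlist at the bottom is constructed for the example.

```python
"""Defensive pre-validation of .ram playlist entries.

Added example, not RealPlayer's own parser. Assumption: a .ram file is one
URL per line, blank lines ignored. The point demonstrated is the check the
advisory says was absent: bounding and validating the hostname before it
reaches any fixed-size buffer or downstream resolver.
"""
import re
from urllib.parse import urlsplit

# Limits from RFC 1035 / RFC 1123: 63 octets per label, 253 for a full name.
MAX_LABEL_LEN = 63
MAX_HOST_LEN = 253
# Assumption: the schemes a media playlist is expected to carry.
ALLOWED_SCHEMES = {"http", "https", "rtsp", "pnm"}
# One DNS label: alphanumerics and interior hyphens, at most 63 characters.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_hostname(host: str) -> bool:
    """Return True only if host is a well-formed DNS name within RFC bounds."""
    if not host or len(host) > MAX_HOST_LEN:
        return False
    labels = host.rstrip(".").split(".")
    return all(len(label) <= MAX_LABEL_LEN and LABEL_RE.match(label)
               for label in labels)


def check_ram_entry(line: str):
    """Classify one .ram line. Returns (ok, reason)."""
    line = line.strip()
    if not line:
        return True, "blank"
    try:
        parts = urlsplit(line)
    except ValueError:
        # urlsplit raises on malformed authorities (e.g. bad IPv6 brackets).
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if host is None:
        return False, "missing host"
    if not validate_hostname(host):
        return False, f"hostname rejected (len={len(host)})"
    return True, "ok"


def filter_ram(text: str):
    """Return (accepted_urls, rejected) for a whole .ram file body.

    rejected is a list of (line_number, reason) so the caller can log
    exactly which entry was dropped and why.
    """
    accepted, rejected = [], []
    for number, line in enumerate(text.splitlines(), 1):
        ok, reason = check_ram_entry(line)
        if not ok:
            rejected.append((number, reason))
        elif reason == "ok":
            accepted.append(line.strip())
    return accepted, rejected


# Constructed sample: one ordinary entry, an entry with an oversized
# hostname of the shape the advisory describes, and a non-media scheme.
SAMPLE_RAM = "\n".join([
    "rtsp://media.example.com/clips/intro.rm",
    "",
    "http://" + "a" * 2000 + "/example.ram",
    "file:///etc/passwd",
])

if __name__ == "__main__":
    good, bad = filter_ram(SAMPLE_RAM)
    print("accepted:", good)
    print("rejected:", bad)
```

Rejecting on the hostname's length before any further processing is the cheap, general fix: a fixed-size buffer can then be sized to MAX_HOST_LEN with certainty, and the same bound also catches the oversized-label variant that a plain total-length check would miss.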
  • (3) MODERATE: Microsoft Windows Explorer Remote Script Injection
  • Affected:
    • Windows 2000
  • Description: Windows Explorer reportedly contains a flaw that can be exploited to execute arbitrary script code on a Windows client. Windows Explorer, in its default configuration, displays information about some types of files, such as the author's name, attributes, etc., in the preview pane when the file is selected. If the author's name resembles an email address, the name is transformed into a "mailto:" link for display. A problem arises because the author's name is not sufficiently sanitized for shell meta-characters. A specially crafted author's name in certain files can lead to execution of script code when the file is selected. Note that it is not necessary to open the file; previewing the file is sufficient to leverage the flaw. An attacker can construct a malicious file in a shared network folder, and entice a victim via e-mail or webpage to browse his shared folder. Proof-of-concept Word documents have been posted.

  • Status: Microsoft has not confirmed the issue, and no updates are available. A suggested workaround is to choose the "Windows Classic Folders" view under "Tools->Folder Options" in any Explorer window. Block ports 139/tcp and 445/tcp at the perimeter to prevent attacks originating from the Internet.

  • Council Site Actions: All of the reporting council sites are waiting for a patch from the vendor. Several have commented that they are already blocking the affected ports (139 and 445) at their network security perimeter. One site commented they will rely on the Cisco security agent software to prevent execution of the Trojan code.

  • References:
  • (4) MODERATE: Mac OS X Cumulative Security Update (April 15, 2005)
  • Affected:
    • Mac OS X client and server version 10.3.9
    • Safari browser version 1.2
  • Description: Apple has released a cumulative security update for Mac OS X on April 15, 2005. This update fixes a vulnerability in Safari browser that can be potentially exploited to execute arbitrary JavaScript code with the privileges of the logged-on user. The problem arises due to a flaw in the "XMLHttpRequest" object that allows an attacker to read arbitrary files present on the client system. The other problems fixed by this update can be exploited only by local attackers.

  • Status: Apply the fixes referenced in the Apple Advisory 301327.

  • Council Site Actions: Four of the reporting council sites are using the affected software. All plan to patch during their next regularly scheduled system update process.

  • References:
Other Software
  • (5) MODERATE: xv Remote Code Execution Vulnerabilities
  • Affected:
    • xv version 3.x
  • Description: xv is an image manipulation program for UNIX systems that can handle a large number of image formats such as gif, jpeg, tiff, etc. The program ships by default with many Linux distributions, and can be configured as the default image viewer for web browsers. The program contains a buffer overflow in the Planetary Data System (PDS) image decoding routine, format string vulnerabilities in handling the tiff and PDS image formats, and a remote command execution flaw due to insufficient checking of shell meta-characters in filenames. A malicious image (in a webpage or email) may exploit these flaws to execute arbitrary code on the client system. The technical details required to exploit these flaws can be obtained by comparing the fixed and the vulnerable versions of the source code.

  • Status: Gentoo confirmed, fixes available.

  • Council Site Actions: Two of the reporting council sites are using the affected software. The first site does not officially support the software and has notified their users. The other site has a large number of systems on which xv can be executed, either from a local installation or from a shared network file system. As far as they know, no significant number of systems have a web-browser configuration in which xv is automatically invoked. Therefore, it is relatively unlikely that malicious images will be viewed using xv. They plan to update to a newer xv version this summer.

  • References:
Exploit Code
Patches
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 16, 2005

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4237 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.16.1 - CVE: CAN-2005-1191
  • Platform: Windows
  • Title: Microsoft Windows Explorer Preview Pane Script Injection Vulnerability
  • Description: Microsoft Windows Explorer on Windows 2000 is vulnerable to a script injection issue due to a failure in the application to filter out potentially harmful characters. An attacker may leverage this issue to inject and execute malicious script code on a vulnerable machine. Please refer to the link below for a list of vulnerable systems.
  • Ref: http://www.securityfocus.com/archive/1/396224

  • 05.16.2 - CVE: CAN-2005-1150
  • Platform: Third Party Windows Apps
  • Title: Sun Java System Web Server Unspecified Denial of Service
  • Description: Sun Java System web server is affected by a denial of service vulnerability. Sun Java System Web Server versions 6.0 and earlier are known to be vulnerable.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57760-1

  • 05.16.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: DameWare Mini Remote Control Authentication Credentials Persistence Weakness
  • Description: DameWare NT Utilities is a system management application for Windows. It is reported to be vulnerable to an authentication credentials persistence weakness due to improper handling of authentication credential information. DameWare Development Mini Remote Control Server versions 4.9 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13199/

  • 05.16.4 - CVE: CAN-2005-1168
  • Platform: Third Party Windows Apps
  • Title: Musicmatch Jukebox Arbitrary File Overwrite
  • Description: Musicmatch Jukebox is a media player application. It is vulnerable to an arbitrary file overwrite via the "bstrSavePath" argument. Musicmatch Jukebox versions 10.00.2047 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/13167/info/

  • 05.16.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Musicmatch Jukebox Unspecified Remote Buffer Overflow
  • Description: Musicmatch Jukebox is a utility designed to locate, identify, and playback music files hosted by the Musicmatch service. It has an unspecified buffer overflow condition that can be triggered remotely. This can cause denial of service or remote code execution.
  • Ref: http://www.securityfocus.com/bid/13174/

  • 05.16.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Neslo Desktop Rover Malformed Packet Remote Denial of Service
  • Description: Neslo Desktop Rover is a software application for Microsoft Windows that provides KVM functionality. Neslo Desktop Rover is prone to a remote denial of service. Reports indicate that the software will crash when a malformed packet is processed on TCP port 61427. A remote attacker may exploit this condition to crash the software and effectively deny service for legitimate users. Neslo Desktop Rover version 3.0 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/396353

  • 05.16.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: WheresJames Webcam Publisher Web Server Buffer Overflow
  • Description: WheresJames Webcam Publisher is a webcam software package. A problem exists in the handling of remote HTTP GET requests by the software. The service does not perform proper bounds checking, making it possible to overwrite sensitive process memory with a custom GET request. An attacker could leverage this issue to gain unauthorized access to a system using the vulnerable software with the privileges of the service.
  • Ref: http://sourceforge.net/projects/wpub/

  • 05.16.8 - CVE: CAN-2005-0976
  • Platform: Mac Os
  • Title: Apple Safari Remote Local Zone Script Execution
  • Description: Apple Safari is a tabbed browser application developed by Apple Computers. Safari is affected by a remote local zone script execution vulnerability. Safari versions 1.2.3 and earlier, Safari RSS 2.0 pre-release and Omni Group OmniWeb 5.1 are known to be vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8423

  • 05.16.9 - CVE: CAN-2005-0715
  • Platform: Mac Os
  • Title: Apple Mac OS X AppleFilingProtocol Information Disclosure
  • Description: Apple Mac OS X supports AppleShare, a proprietary network file sharing protocol. The AppleFileServer is Apple's server that implements this protocol. AppleFileServer provides Apple Filing Protocol (AFP) services for Mac OS X and Mac OS X server. The AFP Server is prone to an information disclosure vulnerability. This vulnerability affects Apple Mac OS X and OS X Server version 10.3.8.
  • Ref: http://www.securityfocus.com/advisories/8267

  • 05.16.10 - CVE: CAN-2005-1141
  • Platform: Linux
  • Title: GOCR ReadPGM Remote Client-Side Buffer Overflow
  • Description: GOCR is an optical character recognition utility designed to recognize characters by processing PNM image files. GOCR is affected by a remote, client-side integer overflow vulnerability. GOCR versions 0.40 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/395979

  • 05.16.11 - CVE: CAN-2005-1125
  • Platform: Linux
  • Title: Libsafe Multi-threaded Process Race Condition Security Bypass
  • Description: Libsafe is a security utility that serves as a wrapper around unsafe C functions. When Libsafe detects an occurrence of memory corruption in one of the functions it wraps, it will call the Libsafe "_libsafe_die()" function to kill the application. This exposes a window of opportunity in multi-threaded processes where Libsafe checking is not enabled and the "_libsafe_die()" function is still executing. Libsafe version 2.0-16 is affected.
  • Ref: http://www.securityfocus.com/archive/1/395999

  • 05.16.12 - CVE: CAN-2005-1122
  • Platform: Linux
  • Title: Monkey HTTP Daemon Format String
  • Description: Monkey is a web server. It is vulnerable to a format string issue in the CGI processing function. Monkey HTTP Daemon version 0.9.1 is not affected.
  • Ref: http://www.gentoo.org/security/en/glsa/glsa-200504-14.xml

  • 05.16.13 - CVE: CAN-2005-1122 CAN-2005-1123
  • Platform: Linux
  • Title: Monkey HTTP Daemon Zero Length File Request Denial of Service
  • Description: Monkey is an open source Web server. Monkey HTTP Daemon is affected by a remotely exploitable denial of service vulnerability. Monkey HTTP Daemon versions 0.9.0 and earlier are known to be vulnerable.
  • Ref: http://security.gentoo.org/glsa/glsa-200504-14.xml

  • 05.16.14 - CVE: CAN-2005-1126
  • Platform: BSD
  • Title: FreeBSD Kernel SIOCGIFCONF Local Information Disclosure
  • Description: A local information disclosure vulnerability affects the FreeBSD kernel due to a failure of the affected kernel to securely handle potentially sensitive memory when providing data to user processes. The problem occurs when the SIOCGIFCONF ioctl, through the ifconf() function call, provides a list of network interfaces to user processes. FreeBSD kernel versions earlier than 5.4 are vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8414

  • 05.16.15 - CVE: Not Available
  • Platform: Unix
  • Title: Oops! Proxy Server Remote Format String Vulnerability
  • Description: Oops! is a proxy server package. It is vulnerable to a remote format string issue because the application fails to properly sanitize user-supplied input in the "auth()" function. An attacker can leverage this issue to crash the server or run arbitrary code. Oops! versions 1.5.53 and earlier are reported vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/13172/discussion/

  • 05.16.16 - CVE: CAN-2005-1177
  • Platform: Unix
  • Title: Webmin and Usermin Configuration File Unauthorized Access
  • Description: Usermin is a web-based user interface for Unix/Linux users. Webmin is a web-based interface for system administration of Unix/Linux operating systems. Usermin and Webmin are affected by a configuration file access validation vulnerability. Usermin versions 1.0 00 and earlier and Webmin versions 1.160 and earlier are known to be vulnerable.
  • Ref: http://www.webmin.com/uchanges.html http://www.webmin.com/changes.html

  • 05.16.17 - CVE: Not Available
  • Platform: Unix
  • Title: JAWS Glossary HTML Injection Vulnerability
  • Description: JAWS is a content management system. The Glossary module is vulnerable to an HTML injection due to insufficient sanitization of user-supplied input. JAWS versions 0.5 beta2 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/13254/info/

  • 05.16.18 - CVE: CAN-2005-0665
  • Platform: Unix
  • Title: XV Image Decoders Multiple Unspecified Vulnerabilities
  • Description: XV is an image editing application that supports multiple image formats. It is vulnerable to multiple unspecified input validation issues due to a failure of the application to properly sanitize input. An attacker may exploit these issues to execute arbitrary code with the privileges of the vulnerable application. XV version 3.10a is reported vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8431

  • 05.16.19 - CVE: Not Available
  • Platform: Unix
  • Title: XV Image File Name Remote Command Execution
  • Description: XV is an image editing application that supports multiple image formats. XV is affected by a remote, client-side command execution vulnerability. XV versions 3.10a and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8431

  • 05.16.20 - CVE: CAN-2005-1133
  • Platform: Cross Platform
  • Title: IBM iSeries AS400 POP3 Server Remote Information Disclosure
  • Description: IBM iSeries AS400 computers are reported vulnerable to a remote information disclosure vulnerability. Error messages from the POP3 service can be used to enumerate user accounts.
  • Ref: http://www.securityfocus.com/bid/13156/

  • 05.16.21 - CVE: CAN-2005-1042
  • Platform: Cross Platform
  • Title: PHP Group Exif Module IFD Tag Integer Overflow
  • Description: PHP is prone to an integer overflow vulnerability in the EXIF module. PHP versions 4.3.10 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8424

  • 05.16.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Net-Server Perl Module Logging Function Format String
  • Description: Rob Brown Net-Server is a server engine module for Perl. It is reported to be vulnerable to a remote format string issue due to improper sanitization of the "log" parameter of the "Server.pm" module. Rob Brown Net-Server versions 0.87 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13193

  • 05.16.23 - CVE: CAN-2005-1141
  • Platform: Cross Platform
  • Title: GOCR Remote Client-Side Integer Overflow
  • Description: GOCR is an optical character recognition application. It is vulnerable to an integer overflow issue due to insufficient validation of user-supplied image size values prior to copying them into static process buffers. GOCR Optical Character Recognition Utility versions 0.40 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/395979

  • 05.16.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Kerio MailServer WebMail Remote Resource Exhaustion
  • Description: Kerio MailServer is vulnerable to a remote resource exhaustion vulnerability in the WebMail service. A remote attacker may leverage this issue to cause the affected application to hang, possibly denying service to legitimate users. The vendor has addressed this issue in Kerio MailServer version 6.0.9.
  • Ref: http://www.kerio.com/kms_history.html

  • 05.16.25 - CVE: CAN-2005-0718
  • Platform: Cross Platform
  • Title: Squid Proxy Aborted Connection Remote Denial of Service
  • Description: Squid Proxy is a web proxy software package. It is reported to be vulnerable to a denial of service issue due to improper handling of malicious network requests. Squid versions 2.5 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13166

  • 05.16.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sumus Game Server Remote Buffer Overflow
  • Description: Sumus Game Server is designed to facilitate play of an internet-based version of the mus card game. It is affected by a remote buffer overflow vulnerability. Sumus versions 0.2.2 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/395832

  • 05.16.27 - CVE: CAN-2005-1118
  • Platform: Cross Platform
  • Title: RSA Security Authentication Agent Cross-Site Scripting
  • Description: RSA Security Authentication Agent is a utility designed to secure network-based access to enterprise networks. Insufficient sanitization of the "postdata" parameter in an HTTP POST request to the "/WebID/IISWebAgentIF.dll" library exposes the application to a cross-site scripting issue. RSA Security Authentication Agent version 5.2 is vulnerable.
  • Ref: http://www.rsasecurity.com/node.asp?id=1176

  • 05.16.28 - CVE: CAN-2005-1164, CAN-2005-1165
  • Platform: Cross Platform
  • Title: Yager Game Data Block Denial of Service Vulnerability
  • Description: Yager Development Yager Game is an air combat game. It is vulnerable to a remote denial of service issue due to a failure of the application to properly handle exceptional network data. An attacker may leverage this issue to freeze a multiplayer game that is currently in progress. Yager Game versions 5.24 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/395903


  • 05.16.30 - CVE: CAN-2005-1182
  • Platform: Cross Platform
  • Title: IBM OS/400 Incoming Remote Command Denial of Service
  • Description: The Incoming Remote Command service for IBM OS/400 allows users to run a command on a remote system that has the service enabled. It is reported vulnerable to an unspecified denial of service condition.
  • Ref: http://www.securityfocus.com/bid/13214/

  • 05.16.31 - CVE: CAN-2005-1184
  • Platform: Cross Platform
  • Title: Multiple Vendor TCP Session Acknowledgement Number Denial of Service
  • Description: Multiple vendor TCP/IP stack implementations are reported vulnerable to a denial of service issue that occurs when an erroneous TCP acknowledgement number is encountered in an active TCP session stream. An attacker can inject a rogue TCP packet containing a valid sequence number and an invalid acknowledgement number into a target TCP stream, degrading the target connection and effectively denying service to legitimate users. Please refer to the following link for vulnerable systems.
  • Ref: http://www.securityfocus.com/bid/13215/info/

  • 05.16.32 - CVE: CAN-2005-0753
  • Platform: Cross Platform
  • Title: CVS Unspecified Buffer Overflow and Memory Access
  • Description: CVS is the Concurrent Versions System. It is reported to be vulnerable to an unspecified buffer overflow issue due to improper boundary checks. CVS versions 1.12.11 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13217

  • 05.16.33 - CVE: CAN-2005-1156, CAN-2005-1157
  • Platform: Cross Platform
  • Title: Mozilla Firefox Search Plug-In Remote Script Code Execution Vulnerability
  • Description: Mozilla Suite and Firefox are reported to be vulnerable to a remote script code execution issue due to failure of the application to provide secure access validation prior to implementing search plug-ins. Mozilla Browser 1.7.6 and earlier as well as Firefox 1.0.2 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13211

  • 05.16.34 - CVE: CAN-2005-1155
  • Platform: Cross Platform
  • Title: Mozilla Favicon Link Tag Remote Script Code Execution
  • Description: Mozilla Suite and Mozilla Firefox are vulnerable to a remote script code execution. The application will execute arbitrary javascript with a "<LINK rel="icon">" tag due to failing to deny remote unauthorized access to trusted local interfaces. Firefox versions 1.0.3 and Mozilla Suite versions 1.7.7 are not vulnerable.
  • Ref: http://www.mikx.de/firelinking/

  • 05.16.35 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Opera SSL Security Feature Design Error
  • Description: Opera is a web browser available for a number of platforms. Opera is affected by a design error that can result in a false sense of security. Opera versions 8 Beta 3 and earlier are known to be vulnerable.
  • Ref: http://www.geotrust.com/resources/advisory/sslorg/sslorg-advisory.htm

  • 05.16.36 - CVE: CAN-2005-1158
  • Platform: Cross Platform
  • Title: Mozilla Firefox Search Target Sidebar Script Code Execution
  • Description: Mozilla Firefox is affected by a script code execution issue. When a malicious page is loaded in the "_search" sidebar panel, any other tabbed page targeting the "_search" sidebar will be executed with the privileges of the unsuspecting user that loaded it. Mozilla Firefox version 1.0.3 is not affected.
  • Ref: http://www.securityfocus.com/advisories/8430

  • 05.16.37 - CVE: CAN-2005-0752
  • Platform: Cross Platform
  • Title: Mozilla Firefox PLUGINSPAGE Remote Script Code Execution
  • Description: Mozilla Firefox is affected by a remote script code execution vulnerability. Mozilla Firefox versions 1.0.2 and earlier are known to be vulnerable.
  • Ref: http://www.mozilla.org/security/announce/mfsa2005-34.html

  • 05.16.38 - CVE: CAN-2005-1153
  • Platform: Cross Platform
  • Title: Mozilla Suite/Firefox Blocked Pop-Up Window Remote Script Code Execution
  • Description: Mozilla Suite is affected by a remote script code execution vulnerability. Mozilla Browser versions 1.7.6 and earlier, Firefox versions 1.0.2 and earlier and Netscape versions 7.2 and earlier are known to be vulnerable.
  • Ref: http://www.mozilla.org/security/announce/mfsa2005-35.html

  • 05.16.39 - CVE: CAN-2005-1154
  • Platform: Cross Platform
  • Title: Mozilla Suite And Firefox Global Scope Pollution Cross-Site Scripting
  • Description: A remote cross-site scripting vulnerability affects Mozilla Suite and Mozilla Firefox. An attacker may exploit this issue to execute arbitrary script code in the context of a page that is currently being viewed. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
  • Ref: http://www.mozilla.org/security/announce/mfsa2005-36.html

  • 05.16.40 - CVE: Not Available
  • Platform: Cross Platform
  • Title: XV Planetary Data System Image Decoder Format String Vulnerability
  • Description: xv is an image editing application. It is reported to have a format string issue in the Planetary Data System (PDS) image decoder. This allows an attacker to execute arbitrary code on a vulnerable system.
  • Ref: http://www.securityfocus.com/advisories/8431

  • 05.16.41 - CVE: CAN-2005-1160
  • Platform: Cross Platform
  • Title: Mozilla Suite DOM Code Execution
  • Description: Both the Mozilla Suite and Firefox are vulnerable to code execution issue due to the application neglecting to properly verify Document Object Model property values. Firefox version 1.0.3 and Mozilla Suite version 1.7.7 are not vulnerable.
  • Ref: http://www.mozilla.org/security/announce/mfsa2005-41.html

  • 05.16.42 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Java Web Proxy Server Multiple Buffer Overflow Vulnerabilities
  • Description: Sun Java System Web Proxy Server is a proxy server. It is reported to be vulnerable to multiple unspecified remote buffer overflow vulnerabilities. Sun Java Web Proxy Server version 3.6 SP7 is not vulnerable.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57763-1


  • 05.16.44 - CVE: Not Available
  • Platform: Cross Platform
  • Title: MPlayer RTSP Server Line Response Remote Buffer Overflow
  • Description: MPlayer is a multimedia audio and video application. MPlayer is affected by a remote heap-based buffer overflow vulnerability. MPlayer versions 1.0 pre1 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8443

  • 05.16.45 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Adobe Acrobat Reader Unspecified File Parsing Memory Corruption
  • Description: Adobe Acrobat Reader is an application designed for reading Portable Document Format (PDF) files. Adobe Acrobat Reader is prone to a memory corruption vulnerability. It is reported that the issue presents itself when the affected software is processing malformed files.
  • Ref: http://www.adobe.com/products/acrobat/readstep2.html

  • 05.16.46 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBB Photo Album Module Album_Search.PHP SQL Injection
  • Description: Photo Album is a module for the phpBB bulletin board system. Photo Album is affected by an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "mode" parameter of "album_search.php" before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/13155

  • 05.16.47 - CVE: CAN-2005-1115
  • Platform: Web Application
  • Title: phpBB Photo Album Module album_cat.php Cross-Site Scripting
  • Description: Photo Album is a module for phpBB bulletin board system. Insufficient sanitization of the "sid" parameter in the "album_cat.php" script exposes the application to a cross-site scripting issue.
  • Ref: http://www.securityfocus.com/archive/1/395720

  • 05.16.48 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBB Photo Album Album_Comment.PHP Cross-Site Scripting
  • Description: Photo Album is a module for the phpBB bulletin board. It is vulnerable to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input to the "album_comment.php" script. An attacker can exploit this issue to steal cookie-based authentication credentials. Photo Album version 2.0.53 is known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/395720

  • 05.16.49 - CVE: Not Available
  • Platform: Web Application
  • Title: S9Y Serendipity exit.php SQL Injection
  • Description: Serendipity is a web log application. It is reported to be vulnerable to an SQL injection issue due to improper sanitization of user-supplied input to the "url_id" parameter of the "exit.php" script. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/13161


  • 05.16.51 - CVE: CAN-2005-1043
  • Platform: Web Application
  • Title: PHP Group Exif Module IFD Nesting Denial of Service
  • Description: PHP is vulnerable to a denial of service condition when deeply nested EXIF IFD (Image File Directory) data is processed. This issue could manifest itself in Web applications that allow users to upload images.
  • Ref: http://www.php.net/ChangeLog-4.php#4.3.11

  • 05.16.52 - CVE: CAN-2005-1117
  • Platform: Web Application
  • Title: All4WWW-Homepagecreator index.php Arbitrary Remote File Inclusion
  • Description: All4WWW-Homepagecreator is a home page creator. Insufficient sanitization of the "site" parameter of the "index.php" script exposes the application to a remote file include issue. All4WWW-Homepagecreator version 1.0a is affected.
  • Ref: http://www.securityfocus.com/archive/1/395831

  • 05.16.53 - CVE: CAN-2005-1169
  • Platform: Web Application
  • Title: Mafia Blog Administrator Authentication Bypass
  • Description: Mafia is web-based blog software. Mafia is affected by an authentication bypass vulnerability in its administrator functions. Mafia versions 4 Beta and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/395995

  • 05.16.54 - CVE: CAN-2005-1180
  • Platform: Web Application
  • Title: PHP-Nuke Surveys Module HTTP Response Splitting
  • Description: PHP-Nuke is a content management system. It is vulnerable to an HTTP response splitting vulnerability in the Surveys module. This issue is due to insufficient sanitization of user-supplied input of the "forwarder" parameter. PHP-Nuke version 7.6 is reported to be vulnerable.
  • Ref: http://www.digitalparadox.org/advisories/pnuke.txt

  • 05.16.55 - CVE: CAN-2005-1135
  • Platform: Web Application
  • Title: SPHPBlog Search.PHP Cross-Site Scripting
  • Description: SPHPBlog is a simple PHP blog. SPHPBlog is affected by a cross-site scripting vulnerability. SPHPBlog versions 0.4.0 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13170/info/

  • 05.16.56 - CVE: CAN-2005-1162
  • Platform: Web Application
  • Title: OneWorldStore OWProductDetail.ASP HTML Injection
  • Description: OneWorldStore is web-based storefront software implemented in ASP. OneWorldStore is affected by an HTML injection vulnerability. All versions of OneWorldStore are known to be vulnerable.
  • Ref: http://oneworldstore.com/support_security_issue_updates.asp

  • 05.16.57 - CVE: CAN-2005-1140
  • Platform: Web Application
  • Title: myBloggie Comment HTML Injection Vulnerability
  • Description: myBloggie is a web-based blog application that supports BBCode image tags. An HTML injection issue in comments allows attackers to steal cookie-based authentication credentials.
  • Ref: http://www.securityfocus.com/archive/1/395988

  • 05.16.58 - CVE: CAN-2005-1171
  • Platform: Web Application
  • Title: Datenbank Module For PHPBB Cross-Site Scripting
  • Description: The datenbank module is a module for phpBB. It is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of user-supplied input to the "id" parameter of the "mod.php" script.
  • Ref: http://www.securityfocus.com/bid/13210

  • 05.16.59 - CVE: CAN-2005-1183
  • Platform: Web Application
  • Title: mvnForum Search Cross-Site Scripting
  • Description: mvnForum is web-based bulletin board software. Insufficient sanitization of user-supplied input to the search function exposes the application to a cross-site scripting issue. mvnForum version 1.0 RC4 is affected.
  • Ref: http://www.securityfocus.com/bid/13213/info/

  • 05.16.60 - CVE: CAN-2005-1172
  • Platform: Web Application
  • Title: Coppermine Photo Gallery HTML Injection
  • Description: Coppermine Photo Gallery is a web-based image gallery. It is vulnerable to an HTML injection issue due to insufficient sanitization of user-supplied input before writing to log files. Coppermine Photo Gallery versions 1.3 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/396080

  • 05.16.61 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBB Knowledge Base Module KB.PHP SQL Injection
  • Description: Knowledge Base Module is a module for the popular phpBB bulletin board system. Knowledge Base Module is affected by an SQL injection vulnerability. Knowledge Base Module versions 2.0.13 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/396098

  • 05.16.62 - CVE: CAN-2005-1181
  • Platform: Web Application
  • Title: Ariadne CMS Remote File Include Vulnerability
  • Description: Ariadne CMS is a content management system. A remote file include vulnerability in it allows remote attackers to execute arbitrary PHP scripts in the context of the web server. This may facilitate unauthorized access.
  • Ref: http://www.securityfocus.com/bid/13206/

  • 05.16.63 - CVE: Not Available
  • Platform: Web Application
  • Title: OneWorldStore Multiple SQL Injection Vulnerabilities
  • Description: OneWorldStore is web-based storefront software. It is vulnerable to multiple SQL injection issues that can be used to compromise the backend database.
  • Ref: http://www.securityfocus.com/archive/1/395899

  • 05.16.64 - CVE: CAN-2005-1161
  • Platform: Web Application
  • Title: OneWorldStore owProductDetail.asp SQL Injection
  • Description: OneWorldStore is a web-based storefront application. Insufficient sanitization of the "idProduct" parameter of the "owProductDetail.asp" script exposes the application to an SQL injection issue.
  • Ref: http://www.securityfocus.com/archive/1/395899

  • 05.16.65 - CVE: CAN-2005-1162
  • Platform: Web Application
  • Title: OneWorldStore OWContactUs.ASP Cross-Site Scripting
  • Description: OneWorldStore is a web-based storefront implemented in ASP. It is vulnerable to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input to "owContactUs.asp". An attacker may leverage this issue to steal cookie-based authentication credentials or execute other attacks. All current versions of OneWorldStore are vulnerable.
  • Ref: http://oneworldstore.com/support_security_issue_updates.asp

  • 05.16.66 - CVE: CAN-2005-1162
  • Platform: Web Application
  • Title: OneWorldStore owListProduct.asp Cross-Site Scripting
  • Description: OneWorldStore is web-based storefront software. It is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of user-supplied input to the "bSub" parameter of the "owListProduct.asp" script.
  • Ref: http://www.securityfocus.com/bid/13185

  • 05.16.67 - CVE: CAN-2005-1161
  • Platform: Web Application
  • Title: OneWorldStore DisplayResults.ASP SQL Injection Vulnerability
  • Description: OneWorldStore is a web-based storefront implemented in ASP. It is vulnerable to an SQL injection issue due to a failure of the application to properly sanitize user-supplied input to the "DisplayResults.asp" script. An attacker may leverage this issue to compromise the application, gain access to sensitive information or modify data. All current known versions of OneWorldStore are vulnerable.
  • Ref: http://oneworldstore.com/support_security_issue_updates.asp

  • 05.16.68 - CVE: Not Available
  • Platform: Web Application
  • Title: UBBCentral UBB.threads Printthread.PHP SQL Injection
  • Description: UBBCentral UBB.threads is a web-based forum application that is implemented in PHP. UBB.threads is affected by an SQL injection vulnerability. UBB.threads versions 6.0 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/396222

  • 05.16.69 - CVE: Not Available
  • Platform: Web Application
  • Title: CityPost PHP LNKX Message.PHP Cross-Site Scripting
  • Description: CityPost PHP LNKX is a PHP script that is designed to automate reciprocal links exchange. It is affected by a cross-site scripting vulnerability. An attacker can leverage this towards theft of cookie-based authentication credentials from legitimate clients.
  • Ref: http://www.securityfocus.com/bid/13255/

  • 05.16.70 - CVE: CAN-2004-1341
  • Platform: Web Application
  • Title: Info2www Cross-Site Scripting
  • Description: Info2www is a utility that converts info files into HTML. It is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of user-supplied input. Info2www version 1.2.2.9 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13252

  • 05.16.71 - CVE: Not Available
  • Platform: Web Application
  • Title: CityPost PHP Image Editor Cross-Site Scripting
  • Description: CityPost Image Cropper/Resizer is a PHP script for JPEG manipulation. It is vulnerable to a cross-site scripting issue due to a failure of the application to properly sanitize user-supplied input to the "image-editor-52.php" script. An attacker may leverage this issue to execute arbitrary script code in a user's browser, steal cookie-based authentication credentials, or carry out other attacks. CityPost Image version 52.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/13257/discussion/

  • 05.16.72 - CVE: Not Available
  • Platform: Web Application
  • Title: CityPost PHP Image Editor M3 URI Parameter Cross-Site Scripting
  • Description: CityPost Image Cropper/Resizer is a PHP script that is designed to manipulate a JPEG image. CityPost Image Cropper/Resizer is affected by a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "m3" parameter of the "image-editor-52.php" script.
  • Ref: http://www.securityfocus.com/bid/13258

  • 05.16.73 - CVE: Not Available
  • Platform: Web Application
  • Title: phpbb-Auction Module Auction_Offer.PHP SQL Injection Vulnerability
  • Description: phpbb-Auction module is an auction system for phpBB. phpbb-Auction module is affected by an SQL injection vulnerability. phpbb-Auction versions 1.2 and earlier are known to be vulnerable.
  • Ref: http://www.snkenjoi.com/secadv/secadv9.txt

  • 05.16.74 - CVE: Not Available
  • Platform: Web Application
  • Title: EcommProV3 Admin/Login.ASP SQL Injection
  • Description: EcommProV3 is a web-based shopping cart system implemented in ASP. EcommProV3 is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "AdminPWD" parameter of "admin/login.asp" before using it in an SQL query. This vulnerability could permit remote attackers to pass malicious input to database queries, resulting in modification of query logic or other attacks. EcommProV3 version 3.0 is vulnerable.
  • Ref: http://www.ihssecurity.com/download/advisory/ecomerce-cart.txt

  • 05.16.75 - CVE: Not Available
  • Platform: Web Application
  • Title: Netref Cat_for_gen.PHP Remote PHP Script Injection
  • Description: A remote PHP script injection vulnerability affects Netref. This issue is due to a failure of the application to sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary PHP script code in the context of an affected Web server. This will facilitate a compromise of the host computer. Netref version 4.2 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/396376

  • 05.16.76 - CVE: Not Available
  • Platform: Web Application
  • Title: CityPost Simple PHP Upload Cross-Site Scripting
  • Description: CityPost Simple PHP Upload is a PHP script that provides file upload functionality for a Web site. It is affected by a cross-site scripting vulnerability. CityPost Simple PHP Upload versions 53.0 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13170/info/

  • 05.16.77 - CVE: CAN-2005-1162
  • Platform: Web Application
  • Title: OneWorldStore DisplayResults.ASP Cross-Site Scripting
  • Description: OneWorldStore is web-based storefront software implemented in ASP. OneWorldStore is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "sIDSearch" parameter of "DisplayResults.asp". An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user.
  • Ref: http://oneworldstore.com/support_security_issue_updates.asp

  • 05.16.78 - CVE: CAN-2005-1179
  • Platform: Network Device
  • Title: Xerox MicroServer SNMP Authentication Bypass Vulnerability
  • Description: Xerox MicroServer is a server utility that includes a web server. A vulnerability exists in the application allowing remote attackers to gain access to sensitive information or modify SNMP settings without requiring authentication. Please check the link below for a list of vulnerable versions.
  • Ref: http://a1851.g.akamaitech.net/f/1851/2996/24h/cacheA.xerox.com/downloads/usa/en/c/cert_XRX05_005.pdf

  • 05.16.79 - CVE: CAN-2005-1179
  • Platform: Network Device
  • Title: Xerox MicroServer Web Server Authentication Bypass
  • Description: Xerox MicroServer is a server utility that includes a web server. It is enabled by default on Xerox WorkCentre devices. It is vulnerable to an authentication bypass issue which can be exploited to access sensitive information or modify system configurations. Please refer to the link below for affected versions.
  • Ref: http://a1851.g.akamaitech.net/f/1851/2996/24h/cacheA.xerox.com/downloads/usa/en/c/cert_XRX05_005.pdf

  • 05.16.80 - CVE: Not Available
  • Platform: Network Device
  • Title: F5 BIG-IP Undisclosed User Interface Vulnerability
  • Description: F5 BIG-IP provides a high-availability load balancing service. A vulnerability exists in the F5 BIG-IP user interface. This issue is exposed when a user simultaneously logs in to the device's web user interface through multiple web clients. F5 BIG-IP versions 9.0.2 to 9.0.4 are affected.
  • Ref: http://www.securityfocus.com/bid/13240/info/

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2005. All rights reserved. No posting or reuse allowed, other than as listed above, without prior written permission.